Moving Target: Playing Catch-Up in Cybersecurity

Cybersecurity is a moving target across every industry. Although not a new concept in medical devices, the maturity level is comparatively low versus other business sectors. One of the biggest issues that devices face is postmarket vulnerability—the longer a product is on the market, the greater the opportunity for threats. And taking into consideration the industry’s low maturity level in this area, many devices already on the market were not built with the intent of having robust security.

“It’s the dynamic nature of these issues that I think lends cybersecurity to be such a challenge for us, because [of the] dynamic threats—in other words, we ship a device into the field and later we learn of a vulnerability and have to go mediate that vulnerability,” said Eric Soederberg, president and CEO of Sunrise Labs, at the MedTechIntelligence mHealth for Medical Device Manufacturers conference last month. “That requires us to go fix things in the field, and maybe even plan to do that on a regular basis. And changing something in the field is something that, as a product development person working on medical devices, you spend your whole career trying to avoid. This is a whole new mindset.”

“There isn’t an expectation that every time a new threat is identified or a vulnerability is identified that FDA expects manufacturers to come to the agency with a new submission,” said Susan Schwartz, M.D., associate director for science & strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures at CDRH, who participated in an expert panel during the conference. “We’ve provided enough latitude that should incentivize their behavior.” What the agency would like to see, Schwartz added, is for larger organizations that are championing cybersecurity to help the smaller groups, along with industry adoption of vulnerability disclosure agreements.

The point at which medical device manufacturers can have the greatest impact on cybersecurity is, as with any other consideration in the product development process, the design concept phase. Instead of taking a bolt-on approach, manufacturers should design security in as part of this process. They should also use threat modeling to understand how the device needs to be protected, and revisit that model continually because threats change all the time, recommended Colin Morgan, head of global product security at Johnson & Johnson. Is the device used in the hospital, or does a patient wear it every day? “Set core requirements that align to the FDA guidance and NIST,” said Morgan. “If you’re passing patient data, you should always encrypt it.”

When looking at software, open source has grown in popularity over the past few years because it provides more flexibility than purchasing off-the-shelf products, but with it comes a greater risk of vulnerability, said Morgan. Software moves quickly, and open source packages are updated frequently, so companies need to maintain constant vigilance to ensure they’re running the latest version. Companies should have a good handle on exactly what software is built into their products in order to understand how best to manage those systems.

Currently, the biggest healthcare threats are breaches related to personally identifiable information (PII; especially bulk PII breaches), protected health information (PHI), and payment card information (PCI). With the majority of cybersecurity threats coming from overseas, the FBI is taking proactive measures to mitigate the threat, using a whole-of-government approach. According to John Riggi, cyber outreach section chief of the FBI’s Cyber Division, the FBI’s role in cybersecurity is three-pronged: investigation, attribution and disruption. He encourages device manufacturers to establish a relationship with their local FBI field office before an incident happens. “Those trusted personal contacts are absolutely critical during a crisis, should you have an incident,” said Riggi. “It humanizes the FBI—you understand what our focus is and the fact that we’re looking to treat you, if you are the subject of an intrusion, as a victim first… In the pre-incident mode, we’re looking to share information [and] intelligence, which may help the company defend itself.”

Every FBI field office has a cyber task force (there are currently 56 field offices and 400 sub-offices). Riggi encouraged companies to find their local field office on the FBI’s website and, once located, reach out to the cyber task force supervisor. The agency also has a Cyber Watch (CyWatch) center that companies can contact if they uncover an intrusion or loss of data (the center is open 24 hours a day, 7 days a week at 855-292-3937). “The best time to make friends is not when you need them, so that’s why we highly encourage having those relationships first,” said Riggi. “Should you have a problem, the FBI can respond in a multi-tiered manner.” At the local level, the agency has cyber investigators, computer analysts, and forensic teams who act as the “first responders” to the problem, and should a major intrusion of national significance occur, the FBI will deploy national resources.

Riggi also clarified that the FBI’s role does not necessarily involve FDA when it investigates an intrusion. “We’re not the regulators, and we’re not calling the regulators unless there’s a health and safety issue.”

Although the cybersecurity environment for medical devices is particularly complex at the moment, don’t expect to see specific regulations any time soon. “Our [FDA’s] position [is that]—by alignment with the quality system regulation, we don’t see a future need for regulation happening with regards to medical device security,” said Schwartz. The agency instead believes in taking a flexible approach via guidance, which enables technologies that are constantly evolving and advancing. “There’s a lot of discussion about this issue—if it’s not a regulation, how can you enforce it?” said Schwartz. “If it’s in the guidance, we still expect manufacturers to follow it.”

About The Author

Maria Fontanazza has more than a decade of experience in journalism, marketing, and communications within the medical device industry. She was previously marketing communications manager and market research manager at Secant Medical, Inc., a manufacturer of biomedical textiles and advanced biomaterials. Fontanazza was also an editor at MD+DI and has authored articles that have appeared in domestic and international industry publications. Fontanazza has a B.A. in Journalism and Mass Communications with a concentration in New Media and Visual Design, and a Minor in Fine Arts, from St. Michael’s College in Colchester, VT. Follow her industry insights on Twitter at @MariaFontanazza.